
[tor-talk] Blocking GFW probes on the firewall
Hi,

As you may know, the Great Firewall of China (GFW) is actively scanning
Tor relays and bridges [1]. Fortunately, blocking those probes seems to
be sufficient to prevent the GFW from blocking/censoring the service.

The GFW is evolving, and the probes we see today will likely be
different in the future. For now, these iptables rules detect active
GFW scans against a Tor bridge. Probes as seen a few weeks ago can be
detected by:

$ iptables -A INPUT -p tcp -m string --hex-string \
    "|00001800390038003500160013000A00330032002F0007000500FF0100000400230000|" \
    --algo kmp -j LOG --log-prefix "china_long "

$ iptables -A INPUT -p tcp -m string --hex-string \
    "|00001400390038003500160013000A00330032002F0005020100|" \
    --algo kmp -j LOG --log-prefix "china_short "

Probes seen recently:

$ iptables -A INPUT -p tcp -m string --hex-string \
    "|00002800390038008800870035008400160013000a00330032009a009900450044002f00960041000500ff020100000400230000|" \
    --algo kmp -j LOG --log-prefix "china_new "

Active scans detected by these iptables rules were triggered by a Tor
client in China connecting to a Tor bridge in Europe. These rules are
intended to be used on the Tor bridge side.

If you wish not only to detect but also to actively reject GFW probes
(and hopefully prevent your service from getting censored), consider
replacing "-j LOG ..." with "-j REJECT --reject-with tcp-reset".

Cheers,
  Marek

[1] http://www.cs.kau.se/philwint/pdf/foci2012.pdf
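As an added example that is not part of Marek's post, the following Python script models what the three "-m string --hex-string" rules above actually match, so the signatures can be exercised offline before they are loaded into a firewall. iptables' string match is a plain substring search over the packet, which bytes.find reproduces exactly. My own reading of the byte patterns (not something the post states) is that they line up with the session-ID length, cipher-suite list, compression methods and extension fields of a TLS ClientHello; the script therefore also parses those fields out of the records it tests. All ClientHello records below are constructed for the example, not captured GFW traffic, and build_client_hello / parse_client_hello are helpers written for this example only.

```python
"""Offline model of the iptables -m string rules from the tor-talk post."""
import os
import struct

# --hex-string patterns copied from the post, in iptables' |..| notation.
IPTABLES_RULES = {
    "china_long": "|00001800390038003500160013000A00330032002F0007000500FF0100000400230000|",
    "china_short": "|00001400390038003500160013000A00330032002F0005020100|",
    "china_new": "|00002800390038008800870035008400160013000a00330032009a009900450044002f00960041000500ff020100000400230000|",
}


def hex_string_to_bytes(pattern: str) -> bytes:
    """Decode iptables --hex-string syntax: literal text with |..| hex runs."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 1:                        # odd segments sit inside |..|
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                 # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


SIGNATURES = {name: hex_string_to_bytes(p) for name, p in IPTABLES_RULES.items()}


def match_rules(payload: bytes) -> list:
    """Names of rules whose pattern occurs anywhere in the payload.

    --algo kmp is only a choice of substring search algorithm; the rules in
    the post keep the default --from/--to window, so a plain find() models
    the match."""
    return [name for name, sig in SIGNATURES.items() if payload.find(sig) != -1]


def parse_client_hello(record: bytes) -> dict:
    """Extract the fields the signatures cover from a TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    sid_len = record[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = record[pos]
    pos += 1
    comps = list(record[pos:pos + comp_len])
    pos += comp_len
    exts = []
    if pos + 2 <= len(record):                # extensions block is optional
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            exts.append((etype, record[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return {"cipher_suites": suites, "compression": comps, "extensions": exts}


def build_client_hello(suites, comps, exts, random_bytes=None) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record with an empty session ID."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    body = b"\x03\x01" + random_bytes + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(comps)]) + bytes(comps)
    if exts:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sample_records() -> dict:
    """Constructed records (not captured traffic) whose suite, compression and
    extension fields reproduce each signature, plus one that should not match."""
    fixed_random = bytes(range(32))           # deterministic for the example
    ticket = [(0x0023, b"")]                  # empty SessionTicket extension
    long_suites = [0x0039, 0x0038, 0x0035, 0x0016, 0x0013, 0x000a,
                   0x0033, 0x0032, 0x002f, 0x0007, 0x0005, 0x00ff]
    short_suites = [0x0039, 0x0038, 0x0035, 0x0016, 0x0013, 0x000a,
                    0x0033, 0x0032, 0x002f, 0x0005]
    new_suites = [0x0039, 0x0038, 0x0088, 0x0087, 0x0035, 0x0084, 0x0016,
                  0x0013, 0x000a, 0x0033, 0x0032, 0x009a, 0x0099, 0x0045,
                  0x0044, 0x002f, 0x0096, 0x0041, 0x0005, 0x00ff]
    return {
        "china_long": build_client_hello(long_suites, [0x00], ticket, fixed_random),
        "china_short": build_client_hello(short_suites, [0x01, 0x00], [], fixed_random),
        "china_new": build_client_hello(new_suites, [0x01, 0x00], ticket, fixed_random),
        "benign": build_client_hello([0xc02f, 0xc030, 0x009c, 0x002f], [0x00], ticket, fixed_random),
    }


if __name__ == "__main__":
    for label, rec in sample_records().items():
        print(label, match_rules(rec), parse_client_hello(rec)["compression"])
```

Running the script shows each constructed record hitting exactly its own rule and the benign record hitting none, which is the check worth repeating against a real pcap of the bridge's port before switching the rules from LOG to REJECT: a signature that also fires on legitimate clients would reset their handshakes too.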
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk